Sharing data to safeguard children FAQs
Information Commissioner, John Edwards, makes it clear in this video that data protection law is not a barrier to sharing data to protect a child from harm.
Last year, we hosted a session at the Data Protection Practitioners’ Conference 2022 on sharing data to safeguard children. These FAQs cover the remaining questions that we didn’t have time to answer on the day.
We are currently producing a sector-specific resource with support from the Children’s Commissioners Office. Please look out for updates in our newsletter, which you can sign up to here.
1. Where can I find guidance and tools to support my role?
Our data sharing information hub provides clear guidance and practical tools for organisations. We can help them learn how to share data lawfully, while protecting people’s personal information.
We are also producing a resource to assist people working in children’s safeguarding.
2. How long should we keep data?
You should only keep personal data for as long as you need it. There aren’t any set time limits in data protection law. It depends on your situation and your reason for processing the data. You must justify and document how long you need to keep it.
It is important to remember that you shouldn’t keep data for longer than you need it or ‘just in case’. You can find more information on data retention on our storage limitation guidance.
3. What lawful basis should I use?
You must have a lawful basis in order to process personal data. Data protection law sets out six lawful bases for processing. No single basis is ’better’ or more important than the others. The most appropriate basis depends on your purpose and on your relationship with the person. Often, consent isn’t the most appropriate lawful basis. In many cases, relying on public task, legal obligation or legitimate interests is more appropriate.
Our lawful basis interactive guidance tool helps you determine which lawful basis to use. To find more information, visit our lawful basis for processing guidance.
4. Do I need to obtain consent to share a child’s personal data?
One common data protection myth is that you need a child’s consent to share their personal data. You do not need consent to share a child’s data for safeguarding purposes.
Sometimes consent in data protection terms, ie lawful basis, is conflated with other procedures and practices. For example, in the context of charities sharing the data of homeless people, there is a requirement for people to give their ‘consent’ for a referral to a local authority for support. This is completely separate from the data protection lawful basis of consent and you should not confuse the two.
5. Do I need to tell a child that I am sharing their personal data?
The default position is yes. If you are processing a child’s personal data, you need to inform them how you are using their personal data, including who you are sharing it with. This is called the right to be informed. The easiest way to inform people is through clear and accessible privacy information. In some cases, the right to be informed may not apply. For example, some situations may occur where informing a child could cause further harm.
Find more information on our right to be informed guidance.
6. How can we ensure the secure transfer of data between two organisations?
You must determine the appropriate method to share data. You need to consider the risks and could also consider people’s preferences.
The UK GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard people’s rights. This is ‘data protection by design and by default’. You can find more information on our data protection by design and default guidance.
You must comply with the security principle of UK GDPR. This ensures that data is secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. You can find more information on our security guidance.
You must also comply with the accountability principle of UK GDPR. This means that you are responsible for your compliance with UK GDPR and should demonstrate this. You can find more information on our accountability guidance.
7. Some organisations hide behind UK GDPR, using it as an excuse not to share information regarding safeguarding cases.
The UK GDPR is not a barrier to data sharing; it provides a framework for data sharing to take place fairly and proportionately.
If an organisation says that they can’t share data with you because of UK GDPR, you may wish to ask them for the reasoning behind their decision. You should, in any event, explain to them what you intend to do with the personal data and why it is necessary to share the data. The ICO would not penalise organisations for sharing personal data to protect a child. If you need further guidance, we run a dedicated advice service, which you can find here.
8. How can the ICO help to tackle cultural issues and embedded practices, which are some of the biggest barriers in sharing data?
Our data sharing information hub provides clear guidance, case studies and tools on how to share data lawfully. It also addresses some of the common myths and misconceptions about data sharing.
We recommend that organisations provide data protection and information governance training to all staff on a regular basis. Training within the workplace helps to tackle some of the cultural and organisational barriers to data sharing. View our training resources that organisations can use.
The ICO has delivered seminars and workshops on this issue and is continuing to do so.
We always welcome any suggestions about what we can do to help to tackle cultural barriers to data sharing. Please email [email protected] with any comments.
9. What work is the ICO doing to help children understand data protection law and their rights?
Children are a key data protection theme for us. A child’s personal data merits particular protection under the UK GDPR. We have already done a lot of work in this space, but there is still further to go.
In 2021, our Children’s code came into effect. The code is a data protection code of practice for online services, such as apps, online games and web and social media sites, likely to be accessed by children. Standard 15 of the code explains that online services must produce tools which help children understand and exercise their rights. Find more information on the code on our dedicated Children’s code hub.
We have also set up an advisory panel in order to ensure that we:
- remain responsive to children’s issues;
- support industry; and
- engage with children, parents and schools on data protection issues.
We also have resources for teachers on our website.
10. Will the ICO’s resource on data sharing in children’s safeguarding settings be applicable to other regions in the UK?
The ICO is producing a resource to aid people working in children’s safeguarding settings across the UK.
The resource will provide practical advice to steer people to tools they can use to assist with data sharing. This includes privacy notices, DPIAs and legal pathways. We are also hoping to include some case studies to share best practice. Please get in touch if you have any relevant case studies that you would like to share with us.
The ICO has regional offices in England, Wales, Scotland and Northern Ireland. We work closely with Children and Young People’s Commissioners and equivalents in these countries and regions.
11. Do I have to share personal data requested by the police?
The UK GDPR, together with the DPA 2018, does not force you to disclose personal data with law enforcement authorities such as the police. It provides a framework to allow you to share personal data, as long as you have taken the necessary steps. For example, you must determine an appropriate lawful basis for sharing. You can find more information on our website:
Any obligation to share information with law enforcement authorities is outside the remit of data protection law.
12. What risk assessment should I undertake before sharing data?
Under the UK GDPR you must undertake a data protection impact assessment (DPIA) if the processing is likely to result in a high risk to people. However, even if you are not legally obliged to carry one out, it is very beneficial for you to follow the DPIA process.
A DPIA is a process to help you identify and minimise the data protection risks of a project. View our guidance on DPIA.
Our data sharing code advises organisations to consider having a data sharing agreement. Data sharing agreements:
- set out the purpose of the data sharing;
- cover what happens to the data at each stage;
- set standards; and
- make the roles and responsibilities of all parties clear.
Having a data sharing agreement in place helps you to demonstrate you are meeting your accountability obligations under the UK GDPR. It also helps you to identify and mitigate against risk. View our guidance on data sharing agreements.
13. How can I prevent data that I’ve lawfully shared being used further down the line unlawfully?
It’s important when sharing data that everyone understands their role. This is one of the reasons why we recommend that organisations planning to share data enter into a data sharing agreement. This sets out everyone’s roles and what is happening to the data at various stages. The document could include instructions on what to do or not do with the personal data, including information on any restrictions about onward sharing. You should also include these matters in the contract or arrangement mentioned below.
The UK GDPR requires controllers sharing with processors to have a written contract in place. The UK GDPR also requires joint controllers to put in place an arrangement. You can find more information on this on our controllers and processors guidance.
It is important to remember that when an organisation chooses to share personal data, they must consider the purpose limitation principle. This means considering whether sharing the data is compatible with the original purpose for processing. For more information on this, visit our purpose limitation guidance.